Run Mandate day to day.

Once policies are authored and traffic is flowing, your admins live here. A dashboard for what's happening right now, an audit trail for what happened earlier, cryptographic proof when something needs to be defensible, usage figures for capacity planning, and signed delivery into your SIEM so your security stack stays the system of record.

See what's happening, at a glance.

The first screen when an admin signs in. Request volume over the last 24 hours, decision mix by hour, the most recent blocks and redactions, and team activity. Designed for the question "is anything weird going on?" Not for buried-three-clicks-deep investigation.

The dashboard an admin lands on. A KPI row across the top covers request volume and decision counts for the last 24 hours. Below, a request-volume area chart sits next to a decision-mix bar chart. A 'Recent blocks' list shows the latest block decisions with timestamp, rule id, and provider; a 'Team activity' card shows recent policy edits and approvals.
The dashboard: what's happening now, at a glance.

Every decision, queryable, replayable.

Filter the full audit log by date range, decision, provider, model, or correlation id. Cursor-paginated to handle a year of traffic without scrolling jank. For events that retained the request body (your tenant's choice), an inspector drawer shows the request and response with secrets masked. For every event, the proof drawer opens the cryptographic record, covered in the next section.

Audit trail page. A filter bar at the top has From and To datetime inputs, a Decisions checkbox group (allow, warn, redact, block, error), and Correlation ID, Provider, and Model text inputs. The results table below has columns Occurred, Decision, Provider, Model, Correlation, Connector, Retention, Proof, and Trace — populated with rows of recent audit events. Each row has a 'View proof' button in the Proof column.
Audit trail: filter, paginate, inspect, prove.

Verify any record. In your browser. No Mandate tooling needed.

Every audit event sits inside a hash-chained sequence that's anchored by a signed checkpoint. Click "View proof" on any event and a drawer fetches the checkpoint's export bundle, then verifies the Ed25519 signature over the Merkle root locally in your browser. A green badge means the chain has not been tampered with. The signing public key fingerprint is shown so your auditor can pin it. The Merkle root and signature are exposed as copy-fields for external verification if your audit team wants to re-run the math.

The chain-proof drawer slid in from the right at 640px wide over the audit trail. A green 'Verified' chip sits at the top. Below it a definition list shows Checkpoint id, Window (start to end), Event count, and Public key fingerprint (lowercase hex, 64 chars). Two copy-fields show the Merkle root (hex) and the Ed25519 signature (hex) with a Copy button each. A short hint at the bottom reads that the verification ran locally in the browser.
Chain-proof drawer: the auditor receipt, verified in your browser.
  • No round-trip to Mandate to verify

    The export bundle carries the public key alongside the signature. Verification runs in the browser using SubtleCrypto.verify. An auditor with the bundle can re-run the verification with any Ed25519 library. The math doesn't need our cooperation.

  • Tamper-evident, not just tamper-resistant

    Per-row hash chain. Periodic signed checkpoints. Any altered row breaks the chain at that point. Any altered checkpoint fails the signature check. Auditors don't need to trust Mandate; they need to verify the chain.

  • Pinnable public-key fingerprint

    The signing public-key fingerprint is published alongside every proof. Your auditor pins it. If the fingerprint ever changes, your team is the first to know.
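
One way an auditor could re-run the check outside the drawer, as an added example that is not Mandate's own code: the bundle field names (`merkleRoot`, `signature`, `publicKey`, all hex) and the fingerprint rule (SHA-256 of the raw public key) are assumptions, and the sample bundles are constructed. It compares the bundled key against the pinned fingerprint before trusting the signature, because a bundle that carries its own key otherwise proves only that it is self-consistent.

```javascript
// Added example. Field names and the SHA-256 fingerprint rule are assumptions,
// not Mandate's documented bundle format; the sample bundles are constructed.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

const toHex = (buf) =>
  [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (s) => Uint8Array.from(s.match(/../g) ?? [], (h) => parseInt(h, 16));

// Assumed fingerprint rule: SHA-256 over the raw 32-byte public key, lowercase hex.
async function fingerprint(publicKeyHex) {
  return toHex(await subtle.digest('SHA-256', fromHex(publicKeyHex)));
}

// Returns 'verified', 'unpinned-key' or 'bad-signature'.
async function verifyCheckpoint(bundle, pinnedFingerprint) {
  // The bundle carries its own key, so check it against the auditor's pin first.
  if ((await fingerprint(bundle.publicKey)) !== pinnedFingerprint) return 'unpinned-key';
  const key = await subtle.importKey(
    'raw', fromHex(bundle.publicKey), { name: 'Ed25519' }, false, ['verify']);
  const ok = await subtle.verify(
    { name: 'Ed25519' }, key, fromHex(bundle.signature), fromHex(bundle.merkleRoot));
  return ok ? 'verified' : 'bad-signature';
}

// Constructed sample: a throwaway key pair signs a made-up 32-byte root.
async function makeSampleBundle(rootHex) {
  const pair = await subtle.generateKey({ name: 'Ed25519' }, true, ['sign', 'verify']);
  const publicKey = toHex(await subtle.exportKey('raw', pair.publicKey));
  const signature = toHex(
    await subtle.sign({ name: 'Ed25519' }, pair.privateKey, fromHex(rootHex)));
  return { merkleRoot: rootHex, signature, publicKey };
}

async function demo() {
  const genuine = await makeSampleBundle('ab'.repeat(32));
  const pin = await fingerprint(genuine.publicKey); // recorded out of band by the auditor
  const altered = { ...genuine, merkleRoot: 'cd'.repeat(32) }; // root changed after signing
  const resigned = await makeSampleBundle('cd'.repeat(32)); // valid signature, other key
  return {
    genuine: await verifyCheckpoint(genuine, pin),
    altered: await verifyCheckpoint(altered, pin),
    resigned: await verifyCheckpoint(resigned, pin),
  };
}

demo().then((r) => console.log(r));
```

The third case is the one pinning exists for: the re-signed bundle passes a signature check against its own key and is rejected only because that key does not match the pin.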

Tokens, requests, latency.

A hero strip of usage tiles — total requests, total tokens, p50 / p95 / p99 latency — over a window you pick. Below: a filterable, paginated table of usage events. Filter by date, correlation id, provider, or model. No dollar amounts on the surface — Mandate displays tokens, requests, latency, and policy decisions. Provider costs stay on the bill from your provider; Mandate's per-seat subscription stays in the Stripe customer portal. Two clean accounting boundaries; no surprise gauges.

Usage tracking page. A hero strip of tiles at the top shows total requests, total tokens, and p50/p95/p99 latency for the selected window. Below the tiles, a filter row covers From, To, Correlation ID, Provider, and Model inputs. A paginated data table lists usage events with columns for timestamp, provider, model, request bytes, response bytes, prompt tokens, completion tokens, duration, decision, correlation, and connector.
Usage tracking: tokens, latency percentiles, no dollar axis.

Push every event to your SIEM.

Audit events are exportable as signed JSON webhooks to Microsoft Sentinel, Splunk, or any endpoint that accepts a signed payload. You configure the endpoint, a key identifier for signature rotation, the retry budget, and the timeout. A Test button sends a representative payload to your endpoint and surfaces the upstream HTTP status, so you can verify the integration before traffic flows. Once it's live, signatures rotate on your key-identifier schedule, and a retention worker keeps delivery history bounded.

Want to see this against your traffic?
30-day pilot, written criteria.

A pilot puts a populated dashboard and a real audit trail in front of your team for a month, with the criteria for a "yes" or "no" agreed in writing before day one.

contact@mandateco.ca  ·  1-905-630-1908